The present invention relates to a password management system, and more particularly to a system that creates/stores passwords for user authentication.
A password is a word or string of characters used for user authentication to prove identity or access approval to gain access to a resource, which should be kept secret from those not allowed access. In modern computing systems, passwords are generally used to allow a user to access secure, private information that is not accessible to the public, such as banking and financial records, health records, e-mail, etc.
In the field of computer security, many techniques exist for authenticating or otherwise securing user access to a computer or to a specific computing resource. In particular, it is well-known to associate a user with a confidential password, usually in conjunction with a log-in name or other identifier that is also associated with the user, and to then require entry of the appropriate identifier/password combination before granting access to a requested computer or computing resource.
Ideally, only the user or an authorized agent of the user will have knowledge of the password required to gain access to the computer or computing resource in question. In practice, however, it may be possible for unauthorized actors to obtain the required password, and thereby to gain illicit access to the computer or computing resource in question.
For example, a user may obtain a password for accessing a computing resource. At a later time, an unauthorized user may attempt to guess or otherwise determine the password in question, utilizing well-known techniques for determining a desired password. Such techniques may involve “brute force” techniques, in which different combinations of characters or symbols (e.g., letters or numbers) are selected and attempted repetitively, either at random or in a specified manner, until such time, if any, as the actual correct password is selected and attempted.
In order to prevent the success of these and various other known techniques for illicitly determining a desired password, authorized users in the process of password creation may be advised, requested, or required to select a password that is thought to be relatively unsusceptible to determination by such techniques. Such passwords may generally be referred to as “strong” passwords, where, in this context, the strength of a password may generally be understood as being inversely proportional to the susceptibility to the types of password determination techniques referenced above. That is, stronger passwords, by definition, are less susceptible to one or more password-determination techniques. Known metrics exist for measuring password strength, which may consider, for example, inclusion of non-alphanumeric characters, mixing of different types of characters (e.g., letters and numbers), a length of time that a given password has been in use, and other factors which are thought to influence password susceptibility (e.g., factors which influence a likelihood of determining a password, or which influence a quantity of time and/or computing resources needed to determine a password).
However, such measures of password strength may vary, e.g., depending on the type of password determination technique that is being used. Moreover, it may be difficult or inconvenient for users to create and utilize passwords having required levels of strength, or otherwise to maintain their passwords in a way which minimizes susceptibility to determination thereof by potential unauthorized users. Consequently, although reliance on password-based protection schemes remains prevalent throughout the field of computer security, it is often the case that the actual protection provided thereby may be inadequate, and may provide a relative point of weakness in providing secured user access.
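The point that a strength measure depends on the determination technique assumed can be made concrete with the following added example, which is not part of the original text. It scores a password under an exhaustive-search (composition) model and under a dictionary-plus-mangling model; the word list, the substitution table, the mangling rules and the sample passwords are all constructed assumptions.

```python
import math
import string

# Constructed five-word list standing in for a real guessing dictionary.
WORDLIST = ["password", "letmein", "dragon", "sunshine", "monkey"]
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
SUFFIX_CHARS = string.digits + string.punctuation
# Look-alike substitutions (assumed table), mapped back to the letter replaced.
UNLEET = str.maketrans("@430$1!", "aaeosii")
LEET_LETTERS = set("aeosi")


def brute_force_bits(pw):
    """Composition metric: log2 of the exhaustive search space."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def dictionary_bits(pw):
    """log2 of guesses under a word + mangling model; None if it does not apply."""
    core = pw.rstrip(SUFFIX_CHARS)          # trailing digits/symbols are a suffix
    suffix_len = len(pw) - len(core)
    word = core.lower().translate(UNLEET)   # undo capitalisation and look-alikes
    if word not in WORDLIST:
        return None
    rank = WORDLIST.index(word) + 1         # position of the base word in the list
    caps = 2                                # first letter capitalised or not
    leet = 2 ** sum(ch in LEET_LETTERS for ch in word)
    suffixes = sum(len(SUFFIX_CHARS) ** i for i in range(suffix_len + 1))
    return math.log2(rank * caps * leet * suffixes)


def compare(pw):
    """Both estimates side by side, rounded to one decimal place."""
    d = dictionary_bits(pw)
    return {"password": pw,
            "brute_force_bits": round(brute_force_bits(pw), 1),
            "dictionary_bits": None if d is None else round(d, 1)}


if __name__ == "__main__":
    for sample in ("P@ssw0rd1!", "qzvkhtwpmx"):  # constructed samples
        print(compare(sample))
```

The mixed-character sample scores higher than the all-lowercase one on the composition metric, yet falls within a far smaller guess count once a dictionary-based technique is assumed.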